Dec 02, 2014

HIPAA compliance alert: how to defend against a data breach

The challenges of defending and responding to a data breach are appearing with increasing frequency in front-page headlines, with large corporations ranging from retailers and banks to healthcare providers revealing that their customers’ personal information has been hacked. The multitude of devices and programs that store data has dramatically increased the number of potential vulnerabilities that a hacker may exploit. Because there are an extraordinary number of ways in which hackers can gain access to an IT system, and because the Internet has created a marketplace for the sale of personal data, the frequency of intrusion efforts and the number of intrusions are rapidly increasing.

Today’s environment has created an imperative for all healthcare providers to harden their defenses against a data breach in order to: (1) protect patient information; (2) mitigate the risk of fines which can be imposed under HIPAA; and (3) mitigate damages which may be claimed by patients through lawsuits alleging negligence and breach of contract. The risks include not only external threats such as hackers, but also internal risks arising from errors related to the storage and disposal of protected health information (“PHI”). In fact, according to the most recent report of the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) to Congress related to data breaches, hackers accounted for only nine percent of data breaches.

Two recent HIPAA settlements are instructive with respect to the need for healthcare providers to dramatically increase their discipline with respect to their internal policies and procedures that protect their patient data. Affinity Health Plan replaced its photocopy machines and did not erase electronic PHI (“ePHI”) of 344,579 patients which resided on the hard drives of those machines. The fine in this case was $1,215,780. A physician conducting research placed ePHI of 6,800 patients on his computer, which resulted in inadvertent disclosure of the ePHI. Two affiliated hospitals, New York-Presbyterian Hospital and Columbia University Medical Center, paid a combined fine of $4.8 million.

Hackers are increasingly posing a threat to a provider’s financial security. One medical group recently was attacked by malware which infected its servers and encrypted all of the group’s electronic medical records. The attacker demanded a ransom payment to be paid in bitcoin in exchange for giving the medical group access to the encryption key. Hackers have also been able to gain access to the networks of businesses and have been able to direct banks in which the businesses have deposits to wire funds to accounts controlled by hackers.

The first critical step in defending against data breaches is to conduct a disciplined risk assessment, which is required under the HIPAA Security Rules applicable to healthcare providers and their business associates. This is critical in order for a provider to create an inventory of what ePHI exists, where it is stored and what types of controls exist to prevent a breach. A risk assessment also determines the ability of a provider to recover data if the data becomes corrupted, and the ability to recover from a disaster if the data is lost. In several cases with fines in excess of $1 million, the OCR has emphasized that a factor in the magnitude of the fine was the failure of the provider to have conducted a risk assessment.

Chuhak & Tecson, P.C. can help healthcare providers understand what vulnerabilities they may have with respect to their defense of the PHI of their patients. Chuhak & Tecson is a Chicago law firm with 65 attorneys. We can assist clients as they conduct a thorough risk assessment, update HIPAA Security and Privacy Policies and provide training to the workforce of healthcare providers. We can also help healthcare providers develop a breach response plan and review cyber-insurance policies.

If you would like more information about these services, please contact one of the team below to discuss how we might assist your organization in strengthening its HIPAA security defenses.

This Chuhak & Tecson, P.C. communication is intended only to provide information regarding developments in the law and information of general interest. It is not intended to constitute advice regarding legal problems and should not be relied upon as such.

Client Alert authored by: Andrew P. Tecson, Esq. and Kimberly T. Boike, Esq.